Hackers spread Mars Stealer via spoofed OpenOffice downloaders

Hackers Mars Stealer Spoofing OpenOffice Downloader Installer Malware Info Stealer

Mars Stealer, one of the newest info stealers in 2022, is now rising to the spotlight upon cybersecurity researchers noticing its recent launches of large-scale attack campaigns. From its past name, Oski malware, which has shut down in 2020, Mars Stealer presents its improved and extensive information-stealing features that target a wide range of software and applications.

The info stealer malware is up for purchase on underground forums for prices ranging from $140 to $160. As it gradually grew as an independent malware, its operators were overwhelmed by the influx of cybercriminals that bought it after the notorious Racoon Stealer had shut down its operations.


Mars Stealer became the newest catalyst of cybercriminal info-stealing campaign operations.


Cybersecurity researchers recently discovered new campaigns deployed by threat actors, including the spread of the cracked version of the Mars Stealer in attack operations.

One notable campaign that the hackers perform using the info stealer is its use of Google Ads to rank a malicious spoofed version of OpenOffice to the Google search results for users based in Canada.

Even though OpenOffice has already been bested by LibreOffice when it comes to consumers’ interest, many users still prefer to use it, especially those that need a free document and spreadsheet editor. The unpopularity of OpenOffice became an advantage for threat actors to exploit it, with high chances of avoiding flags and reports from authorities.

Once users install the spoofed OpenOffice on their computers, the Mars Stealer will immediately work its way to infect its victim.

However, the instructions attached on the cracked version of the info stealer had some errors, exposing victims’ data and logs directory to the public. The leaked log is contained in a zip file that consists of the victims’ stolen data and is uploaded to the C2 servers of the operators.

The collection of stolen data from the zip file holds the victims’ auto-fill credentials, credit card details, browser extension details, IP addresses, time zones, and country codes. The operators made the mistake of infecting themselves with Mars Stealer during a debugging process, exposing the collected stolen data and their group’s identification.

For this reason, experts were able to identify and attribute them as Russian-speaking threat actors, alongside their GitLab accounts and other useful details.

Experts recommend avoiding unofficial third-party sites when downloading software, specifically those in the Google Ad search results.

About the author

Leave a Reply